
I'm reading this blog and it says:

If the /proc/self/environ file can be accessed through LFI, then in this case “RCE” can be achieved by requesting the file in combination with the payload written into the HTTP User-Agent field.

Then, it goes on to say:

GET lfi.php?file=../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>

Now if an attacker sends the above HTTP request to the web server, then:

  1. First, the data in the User-Agent field will be written to the /proc/self/environ file.
  2. Then the page request "lfi.php?file=../../../proc/self/environ" will include the content of the /proc/self/environ file into the output page, and our payload gets executed.

Now, I understand the first part of it: when we include /proc/self/environ, a Linux-based operating system fills the file with information related to the environment it was called from. In our case, it gets populated with the HTTP request, as our environment happens to be a browser.

What I do not understand is why the content of the HTTP request is getting executed. Looking at it from a developer's standpoint, lfi.php gets executed and there's a function in the file that reads the content of the file passed to it as a parameter. So, the content of the file /proc/self/environ and, by extension, the content of the HTTP request should be read and not executed. Can someone please explain what I am missing?

7_R3X
  • As said below, LFI is when the file is "included" via a function that executes code. Simply reading files is a traversal vulnerability or LFD, although many seem to confuse these two bug classes – wireghoul May 18 '21 at 13:31
  • In my humble opinion you should investigate Apache log poisoning to RCE – Marco Nappi Oct 16 '21 at 11:58

1 Answer


I think when it works like that (if it works like that?) it's because in old versions of php, PHP code was executed as it was output by the server. In a normal .php file that is part html and part php, maybe the webserver would spit out all html until it hits a <?php statement and then starts executing the php code. I'm not quite sure because I can't replicate it with a modern copy of php.

For what it's worth I just tried it on a webhosting account that uses PHP 7.2.30 and it really doesn't seem to work that way (anymore?). I'm really not an expert. Obviously, if you include, include_once, require, etc a file from a variable it'll become RCE.

first test (won't work):

<?php
  // readfile() copies the file's bytes to the output; nothing is parsed as PHP
  readfile($_GET['lfi']);
?>

third test (will work):

<?php
      $str = $_GET['lfi'];
      // include parses the target as PHP source, so <?php ... ?> inside it runs
      include $str;
?>

The wikipedia page just says that it needs to be a function that executes files, and then gives a good example of why someone might code an application that way. https://en.wikipedia.org/wiki/File_inclusion_vulnerability#PHP
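To make the difference between the two tests concrete, here is an added example (not code from the question or the answer above) that feeds the same constructed file, standing in for /proc/self/environ, through readfile() and through include, and then shows the allowlist pattern that removes user input from the include path altogether. The file contents, the page names and the resolvePage() helper are assumptions made for the demo.

```php
<?php
// Added example, not part of the original post. Run from the CLI: php demo.php
// A constructed file standing in for attacker-influenced content such as
// /proc/self/environ; the "payload" just echoes a marker string.
$probe = tempnam(sys_get_temp_dir(), 'lfi');
file_put_contents($probe, "USER_AGENT=<?php echo 'code ran'; ?>\n");

// readfile(): the bytes are copied to the output verbatim. The <?php tag is
// never handed to the interpreter, so it shows up as literal text.
echo "readfile: ";
readfile($probe);

// include: the file is parsed as a PHP source file. Text outside <?php ... ?>
// is echoed, text inside it is executed. This is the step that turns a file
// inclusion bug into code execution, and why the first test cannot.
echo "include:  ";
include $probe;
echo "\n";

unlink($probe);

// Hardened pattern: never hand request data to include. Map the requested
// page name onto a fixed table of files; anything else is rejected, so a
// traversal string or a path to /proc/self/environ never reaches include.
function resolvePage(string $requested): ?string
{
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',   // assumed page files
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$requested] ?? null;
}

foreach (['home', '../../../proc/self/environ'] as $candidate) {
    $target = resolvePage($candidate);
    echo $candidate, ' => ', $target === null ? 'rejected' : "include {$target}", "\n";
}
```

Running the script shows the include branch printing the marker while the readfile branch prints the raw tag, and the allowlist accepting only the known page name.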